NOTICE

This opportunity is being released to TrustOhio Contractors pre-qualified as a result of RFP #0A1181.

ONLY Contractors pre-qualified in Penetration Testing are eligible to submit proposal responses AND to submit inquiries. The State does not intend to respond to inquiries or to accept proposals submitted by organizations not pre-qualified for this Contract.

An alphabetical listing of Contractors pre-qualified to participate in this opportunity follows:

Accenture
AIS
CGI Technologies and Solutions, Inc.
Enterprise Services
IBM
Interhack
MicroSolved
Synack

Statement of Work Solicitation Template

State of Ohio
Bureau of Workers’ Compensation
Penetration Test
Project Statement of Work
TrustOhio Solicitation ID No.: TRUST-18-01-004
Solicitation Release Date: December 5, 2017
Section 1: Purpose
The purpose of this Project Statement of Work (SOW) is to provide the Ohio Bureau of Workers’ Compensation with information technology services in Penetration and Vulnerability Testing Services and Security Auditing Services (0A1181). A pre-qualified Contractor, hereinafter referred to as the “Contractor”, will furnish the necessary personnel, equipment, material and/or services and otherwise do all things necessary for or incidental to the performance of work set forth in Section 3, Scope of Work.
Table of Contents
Section 1: Purpose
Section 2: Background Information
Section 3: Scope of Work and Required Deliverables
Section 4: Evaluation Criteria
Section 5: Staffing and Rates
Section 6: SOW Solicitation Calendar of Events
Section 7: Required Documentation and Submission Instructions & Location
Timeline
SOW Solicitation Release to Pre-Qualified Contractor: 12/1/2017
Proposal Response Due Date: 12/15/2017 by 1:00 PM Columbus, OH (local time)
Section 2: Background Information
Agency Information
Agency Name / Ohio Bureau of Workers’ Compensation
Contact Name / JacLynn Romine / Contact Phone / 614-466-6806
Bill to Address / 30 W. Spring St. Columbus, OH 43215
Section 3: Scope of Work and Required Deliverables
Description of Scope of Work
BWC is looking to select a best-fit vendor to perform a Penetration Test.
This testing must include the following items:
  • Electronic pen testing of the following systems:
      • VPN connectivity (unauthorized access into data or connectivity through VPN – this should include both our SSL and IPSEC VPN connections)
      • 802.11 technologies (Unauthorized access into the Wi-Fi network)
      • ISE (Unauthorized equipment placed on BWC’s network)
      • Current Production Ohio BWC Website
      • Performance Test ODX Website
      • Production ODX Website. This portion of the test will need to be scheduled for February, 2018 because this is when BWC is scheduled to migrate its website to the Production ODX platform.
      • WAN Links (unauthorized access to links & data)
      • Externally-facing SharePoint
      • Web Chat
      • Externally-facing Web Services
      • FTP Site
      • ODX AWS S3 -- Simple Storage Solution for the State of Ohio
  • Social engineering:
      • Ability to get an employee to click on a link in a phishing email sent to them.
      • If the employee clicks, ability to talk outbound to a command and control server.
      • If the employee clicks, ability to gain unauthorized access to accounts of passwords via the social engineering exercise.
  • Simulated Phishing Attack on Endpoint Computer:
      • Ability of malware to run on the machine
      • If the malware can run, then ability of the malware to encrypt a file
      • If malware can run, then ability of the malware to find a sensitive file containing a Social Security Number on our network drives
      • If malware can run, then ability of the malware to reach other endpoints or servers
All security testing efforts are to be done in a non-destructive manner with minimal impact to our customers. Confidential information must never be compromised or shared with another party.
State Required Deliverables
Deliverable Name and Brief Description / Due Date
Penetration Test Report / Reports due within 30 days of completed testing.
The deliverable must be a Penetration Test Report, which details the vulnerabilities found in each portion of the test, and which includes a risk rating for each vulnerability. The Penetration Test Report must also include an executive summary outlining the scope of the test, a high-level description of any significant issues, and an overall risk rating for the Agency.
Section 4: Evaluation Criteria
Scored Criteria / Weight / Does Not Meet / Meets / Exceeds
Contractor’s Solution to Scope of Work / 50 / 0 / 5 / 7
Contractor’s Proposed Tools / 20 / 0 / 5 / 7
Contractor’s Proposed Staffing / 20 / 0 / 5 / 7
Cost Evaluation
The State will calculate the offeror’s Cost Proposal points using the following method:
The number of points assigned to the cost evaluation will be prorated, with the lowest accepted cost proposal given the maximum number of points possible for this criterion. Other acceptable cost proposals will be scored as the ratio of the lowest price proposal to the proposal being scored, multiplied by the maximum number of points possible for this criterion.
An example of calculating cost points, where Maximum Available Cost Points Value = 70 points, is the scenario where Offeror X has proposed a cost of $100.00, Offeror Y has proposed a cost of $110.00 and Offeror Z has proposed a cost of $120.00. Offeror X, having the lowest cost, would get the maximum available 70 cost points. Offeror Y’s cost points would be calculated as $100.00 (Offeror X’s cost) divided by $110.00 (Offeror Y’s cost) equals 0.90 times 70 maximum points, or a total of 63.63 points. Offeror Z’s cost points would be calculated as $100.00 (Offeror X’s cost) divided by $120.00 (Offeror Z’s cost) equals 0.833 times 70 maximum available points, or a total of 58.31 points.
Section 5: Staffing and Rates
[Contractors should only complete either the Rate Card Section (5.1) or the Flat Fee Amount Section (5.2)]
5.1 SOW Staffing and Rate Card
Contractor Name / Rate Card Role / Contractor or Sub-contractor? / Work Location (State / Offsite) / No. Hours / Hourly Rate
$
$
$
5.2 Flat Fee Amount
$
5.3 Additional Information for Rates
Travel and expenses MUST be included in this cost, as BWC cannot and will not reimburse for travel and expenses.
Section 6: SOW Solicitation Calendar of Events
Firm Dates
SOW Solicitation Released to Pre-qualified Contractors: / December 5, 2017
Proposal Response Due Date: / December 15, 2017
Anticipated Dates
Estimated Date for Selection of Awarded Contractor: / December 2017
Estimated Commencement Date of Work: / January 2018
All times listed are Columbus, Ohio local time.
Section 7: Required Documentation and Submission Instructions & Location
Required Documentation:
Contractor’s Solution to Scope of Work
Contractor must describe the plan to perform a Penetration Test for the BWC. The plan must address the Scope of Work in Section 3 of this document. It must also describe how the efforts will be done in a non-destructive manner with minimal impact to BWC customers and confirm that confidential information will not be compromised or shared with another party.
Contractor’s Proposed Tools
Contractor must describe the tools that will be used as part of a Penetration Test.
Contractor’s Proposed Staffing
Contractor must submit resumes (Contractor and subcontractor) of the key people who will actually work on this project at BWC.
Contractor must identify Contractor and subcontractor staff and time commitment and an organizational chart for the entire team.
Submit hourly rates or a flat fee. Travel and expenses MUST be included in the cost, as BWC cannot and will not reimburse for travel and expenses.
Submission Instructions and Location:
Each Pre-Qualified Contractor must submit 7 complete, sealed and signed copies of its Proposal Response and each submission must be clearly marked “Penetration and Vulnerability Testing Services and Security Auditing Services” on the outside of its package along with Pre-Qualified Contractor’s name.
A single electronic copy of the complete Proposal Response must also be submitted with the printed Proposal Responses. Electronic submissions must be on a CD.
Each proposal must contain an identifiable tab sheet preceding each section of the proposal. Proposal Response must be good for a minimum of 60 days.
The State will not be liable for any costs incurred by any Pre-Qualified Contractor in responding to this SOW Solicitation, even if the State does not award a contract through this process. The State may decide not to award a contract at the State’s discretion. The State may reject late submissions regardless of the cause for the delay. The State may also reject any submissions that it believes are not in its interest to accept and may decide not to do business with any of the Pre-Qualified Contractors responding to this SOW Solicitation.
Proposal Responses MUST be submitted to the State Agency’s Representative:
Matthew Ortiz
Department of Administrative Services
Security and Privacy Division
1320 Arthur E Adams Dr.,
Columbus, OH 43221
